DLP Management Disappears from EAC in mid-2022
I don’t think many Microsoft 365 tenant administrators, let alone those who look after Exchange Online, read Microsoft’s Security, Compliance, and Identity blog. At least, the blog gets relatively little traffic compared to EHLO. All of which makes it strange that Microsoft chose to announce a plan to remove Exchange Data Loss Prevention (DLP) policies from the Exchange Online admin center (EAC) in a place where those responsible for those policies might not see the news. Apparently, the removal will happen sometime in the April-June 2022 period.
The compliance blog post appeared on September 16. A week earlier, when describing their plans to deprecate the old EAC by September 2022, the Exchange team said: “The DLP experience under compliance management in the classic EAC will soon be moved to the Microsoft 365 compliance center.” DLP is one of the missing pieces of functionality that hasn’t appeared yet in the new EAC, so the question of just what would happen to Exchange DLP was up in the air. The DLP section in the classic EAC looks pretty bedraggled (Figure 1) and it’s obvious that Microsoft has let it wither away for the last few years.
No Sense in Moving to the Compliance Center
After reading the words in the Exchange blog, you’d imagine that Microsoft was planning to move the management of Exchange DLP policies to the Microsoft 365 compliance center. However, I don’t think this makes sense. How could you present one set of DLP policies which use Exchange transport rules to enforce their settings alongside a set of Microsoft 365 DLP policies, which can also process Exchange (using hidden transport rules) but also apply to other workloads? Sure, you could have two sections in the compliance center, but it would be confusing. It also doesn’t support Microsoft’s goal to eliminate workload-specific compliance processing and replace this technology with capabilities which apply across the ecosystem.
My theory is that Microsoft will simply never move the DLP policies from the old EAC. Sometime in the April-June 2022 period, the ability to manage DLP policies in EAC will disappear and you’ll be forced to use PowerShell to add, change, or remove DLP policies. And eventually, the PowerShell cmdlets will stop working.
Wake-Up Call to Do Something About DLP Now
All in all, it’s a wake-up call for tenants which use Exchange DLP policies today. It’s time to move to Microsoft 365 DLP policies. The old excuse that Exchange DLP policies were more powerful at processing email than their Microsoft 365 counterparts lost validity in April 2021 when Microsoft added a bunch of advanced controls for email (to be fair, this announcement also appeared in the compliance blog, so it was easy to overlook).
I’ve also heard people make the case that they need to keep Exchange DLP policies in Exchange Online because they use an equivalent set on-premises. This assertion always seemed strange to me because DLP processing occurs in the transport service and therefore depends on where your transport happens. If everything passes through on-premises servers, it’s reasonable to apply DLP checking there. But if Exchange Online handles email, the better option is to use Microsoft 365 DLP policies.
In any case, the writing is on the wall for Exchange DLP policies inside Microsoft 365. It’s time to make the transition, and it’s better to be proactive about the move rather than be forced to respond when Microsoft announces a final date when these policies will stop working. That date could be several years in the future, but it’s best to use the technology that’s under active development instead of one that isn’t. Some of the functionality available for Microsoft 365 DLP policies, like the Activity Explorer (Figure 2), requires Office 365 E5 licenses.
Now supporting approximately 220 sensitive information types (like credit card numbers) and the ability to define your own sensitive information types (like the Azure AD password example explained here), the base Microsoft 365 DLP functionality included in Office 365 E3 has many other little details to make administrative life easier. A recent favorite is the prompt when you go to turn off a policy, which tells you how many recent matches the policy has had (Figure 3). It’s a simple but effective way to stop an administrator from making a mistake and disabling an important policy.
One thing I don’t like is that DLP processing for Teams messaging (chats and channel conversations) requires Office 365 E5 or Microsoft 365 Compliance E5 licenses. This doesn’t make sense when Office 365 E3 covers DLP checks against Exchange Online and SharePoint Online. My dismay is heightened by the way the Microsoft 365 compliance center offers the apparently oh-so-easy option to “extend” a policy to cover Teams without mentioning the small matter of the licensing implication (Figure 4). It’s not the right way to treat customers and, anyway, the update option often doesn’t work because of conflicting settings in the policy.
To assist organizations in the transition, Microsoft has a playbook for conversion of Exchange DLP policies to Microsoft 365 DLP policies (or the term used in the playbook, EAC-DLP to MIP-DLP). It’s a reasonable starting point for a discussion about moving over and the migration wizard Microsoft built will likely meet the needs of many organizations.
Those who have probed the outer limits of DLP processing with hundreds of complicated rules will need more work to make sure that they can move all their policies over in a timely manner. Perhaps some policies are no longer required, and the overall processing can be simplified. Perhaps Microsoft 365 DLP processing generates more false positives than the older policies. No one can say what effort is required until the work is done to document and understand the existing DLP processing framework and test new policies to make sure that they deliver the expected results.
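Both the point above about documenting the existing DLP framework before migrating and the earlier observation that PowerShell will be the only way to manage Exchange DLP policies once EAC drops them come down to the same practical task: producing an inventory. The script below is an added example, not code from the original article or from Microsoft’s playbook. It assumes the ExchangeOnlineManagement module is installed, that the account running it can read both Exchange Online transport configuration and Security & Compliance policies, and that the report folder path is one you choose; the property names used (State, Mode, DlpPolicy, ExchangeLocation, TeamsLocation, and so on) are those the Get-DlpPolicy, Get-TransportRule, Get-DlpCompliancePolicy and Get-DlpComplianceRule cmdlets return.

```powershell
# Added example (not from the original article): inventory the Exchange DLP
# policies that EAC will stop managing, the transport rules that enforce them,
# and the Microsoft 365 DLP policies already in place, so the migration to
# Microsoft 365 DLP starts from a documented baseline.
# Assumes the ExchangeOnlineManagement module and suitable admin roles.

# Exchange Online session: Exchange DLP policies and transport rules
Connect-ExchangeOnline -ShowBanner:$false
# Security & Compliance session: Microsoft 365 DLP policies and rules
Connect-IPPSSession

$OutputFolder = "C:\Temp\DlpInventory"   # assumed report location; change as needed
New-Item -Path $OutputFolder -ItemType Directory -Force | Out-Null

# 1. Legacy Exchange DLP policies and the transport rules each one owns.
#    Exchange DLP policies enforce their settings through transport rules, and
#    each rule records its owning policy in the DlpPolicy property.
$LegacyPolicies = @(Get-DlpPolicy)
$LegacyReport = foreach ($Policy in $LegacyPolicies) {
    $Rules = @(Get-TransportRule -DlpPolicy $Policy.Name)
    [PSCustomObject]@{
        Policy       = $Policy.Name
        State        = $Policy.State   # Enabled or Disabled
        Mode         = $Policy.Mode    # Audit, AuditAndNotify, or Enforce
        RuleCount    = $Rules.Count
        EnabledRules = @($Rules | Where-Object { $_.State -eq 'Enabled' }).Count
        RuleNames    = ($Rules.Name -join '; ')
    }
}
$LegacyReport | Export-Csv -Path (Join-Path $OutputFolder 'ExchangeDlpPolicies.csv') -NoTypeInformation

# Transport rules that still reference a DLP policy which no longer exists are
# dead weight; list them so they can be cleaned up rather than migrated.
$PolicyNames = @($LegacyPolicies.Name)
Get-TransportRule |
    Where-Object { $_.DlpPolicy -and ($_.DlpPolicy -notin $PolicyNames) } |
    Select-Object Name, State, Priority, DlpPolicy |
    Export-Csv -Path (Join-Path $OutputFolder 'OrphanedDlpRules.csv') -NoTypeInformation

# 2. Microsoft 365 DLP policies: which workloads each covers, how many rules it
#    holds, and whether Teams is in scope (the location with the E5-level licence).
$ModernReport = foreach ($Policy in @(Get-DlpCompliancePolicy)) {
    $Rules = @(Get-DlpComplianceRule -Policy $Policy.Name)
    [PSCustomObject]@{
        Policy     = $Policy.Name
        Mode       = $Policy.Mode   # Enable, TestWithNotifications, TestWithoutNotifications, Disable
        Exchange   = [bool]$Policy.ExchangeLocation
        SharePoint = [bool]$Policy.SharePointLocation
        OneDrive   = [bool]$Policy.OneDriveLocation
        Teams      = [bool]$Policy.TeamsLocation
        RuleCount  = $Rules.Count
    }
}
$ModernReport | Export-Csv -Path (Join-Path $OutputFolder 'M365DlpPolicies.csv') -NoTypeInformation

# 3. Short on-screen summary of what is left to migrate and what already exists.
$LegacyRuleTotal = ($LegacyReport | Measure-Object -Property RuleCount -Sum).Sum
$ModernExchange  = @($ModernReport | Where-Object { $_.Exchange }).Count
$ModernTeams     = @($ModernReport | Where-Object { $_.Teams }).Count
Write-Host ("{0} Exchange DLP policies backed by {1} transport rules still to migrate" -f @($LegacyReport).Count, $LegacyRuleTotal)
Write-Host ("{0} Microsoft 365 DLP policies: {1} cover Exchange, {2} cover Teams" -f @($ModernReport).Count, $ModernExchange, $ModernTeams)
```

The three CSV files give the documentation step the playbook needs before any conversion: which legacy policies are live versus in audit mode, how many rules each one actually drives, and what the Microsoft 365 side already covers so that duplicate processing is not created. The orphaned-rule check is there because policies edited over several years tend to leave behind rules that no longer belong to anything, and those should be retired rather than carried across.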
Time to Move
One thing’s for sure. Microsoft is not going to pour any further effort into Exchange DLP policies. All these will receive is a cursory glance from time to time with zero engineering effort. It’s time to move your data loss prevention to Microsoft 365 DLP policies.